Domain Shadowing Attack Vector Lands in Angler Exploit Kit

Cisco claims up to 10,000 domains were involved in domain shadowing, a new Angler exploit kit attack vector. GoDaddy holds many of these domains.

A new attack vector, known as domain shadowing, is being used in the Angler Exploit kit and has already affected 10,000 domains, the majority of which are associated with domain registrar GoDaddy.
Cisco's Talos research group first reported the domain shadowing attack, which involves attackers creating new subdomains on a valid domain. A subdomain, for example, is a prefix that can be registered, such as "mail.example.com," where the mail prefix is the subdomain.
The basic idea is that the domain holders are not actively monitoring their domains, enabling attackers to create new subdomains, which are then used in the domain shadowing exploits.
While GoDaddy domains have been found to be impacted by the domain shadowing attack, both Cisco and GoDaddy emphasize that the issue is not a breach or a security vulnerability in GoDaddy's own infrastructure.

"To be clear, this is not a security issue on GoDaddy's part," Craig Williams, security outreach manager for Cisco Talos, told eWEEK. "This is likely due to users reusing login information on multiple sites and/or falling victim to phishing attacks or keyloggers."

In a statement emailed to eWEEK, GoDaddy Chief Information Security Officer Todd Redfoot noted that the company is aware of the Angler exploit being reported.
"This is not a GoDaddy system vulnerability, but an industry-wide attack infecting personal computers by exploiting outdated software," Redfoot stated. "We are actively working to secure impacted customer accounts and remove offending subdomains."
In terms of how domain holders at GoDaddy and elsewhere were falling victim to the new Angler attack, Williams noted that Angler is able to hijack accounts due to users falling victims to other attacks and reusing login information.
According to Cisco data, a real spike in Angler's domain shadowing activities started to occur in December and has continued to grow since then.
GoDaddy recommends that its customers install the latest software updates and run antivirus and anti-malware scans on all of their personal devices. Users should adhere to standard password best practices to protect themselves from domain shadowing, Williams said. Those standard best practices include changing passwords occasionally and using a unique password for each site. Williams also suggested that users turn on two-factor authentication when possible.
Go Daddy does offer two-factor authentication to its users, which could further help reduce the risk, he said. With two-factor authentication, a user needs a second factor or password to gain access. The second factor in GoDaddy's system is a validation code that is sent via Short Message Service (SMS) to the user's phone.
"Additionally, users should remain vigilant and double check on their domain registrations to ensure their accounts have not been compromised," Williams said.
The new domain shadowing exploit is just the latest capability to be added to the Angler exploit kit, which has become increasingly popular with attackers in recent months.
Intel Security's February 2015 McAfee Labs Threats report identified Angler as the most prevalent exploit kit in use in 2014, representing 26 percent of all exploit kits seen by McAfee Labs.
"Angler is one of the most prevalent exploit kits in the wild, and it continues to differentiate itself from other kits with its unique features," Raj Samani, vice president and CTO, Intel Security, told eWEEK. "It regularly customizes the landing page and exploits with new obfuscation techniques and variants to avoid getting detected by security products."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.